Managing Risk & Compliance in the Contact Centre

Cybercrime figures for global fraud have reached a 55% year-on-year increase in the UK, a fact that security and fraud professionals had always suspected. The use of data to deliver even more omnichannel targeting can have adverse effects on the customer experience and increase regulatory risk, especially in the context of GDPR and e-Privacy.

With ever-increasing amounts of data flowing across ever-blurring geographical boundaries, the question of how to harmonise and protect EU consumers’ personal data across the community, and beyond, has been both difficult and increasingly important. We all agree that protecting that data is a challenge. Indeed, governments are scrambling to catch up with criminals by developing regulations to cope.

Regulatory risk has never been so much in the limelight. Imminent regulations are on the horizon – the 2nd Payments Service Directive (PSD2), the 4th & 5th Anti-Money Laundering Directives (4 & 5AMLD), the General Data Protection Regulation and e-Privacy Directive, Lex Specialis to the GDPR, and the Payment Card Industry Data Security Standard (PCI DSS). Along with the many other regulations being developed worldwide, will you be prepared?

Acronyms galore

Regulators have increasingly been more active with their enforcement actions, placing regulatory/compliance risk higher up the Board agenda. When looked at together, these regulations show many synergies, as well as potential overlaps, and we note a distinct convergence between cybersecurity and fraud/financial crime prevention, a trend which must be welcomed.

Call centre operations are well advised to approach these regulations holistically, not as separate distinct programmes, as much efficiency can be derived. This systemic complexity can only be handled through better automation, intelligently and efficiently supported by technology. Such a strategy, whilst well suited to improve efficiency, agility and speed, is now also crucial to solving regulatory and security challenges.

Enter Regtech

With this backdrop, it is unsurprising to witness the emergence of technology solutions aiming to help ease the burden of regulatory requirement, and a new category has emerged: Regtech. If we go by the Financial Conduct Authority Definition of Regtech as the “adoption of new technologies to facilitate the delivery of regulatory requirements”, we now finally see a welcome, market-driven, convergence of information security and fraud prevention solutions. No longer are technology security and compliance offerings confined to the Security teams: the fraud prevention, finance, marketing, HR, risk and regulatory audit departments are now the new audience. And that’s a good thing.

$25 Million. The fine AT&T was forced to pay in 2015 because of lax security in overseas call centres. US regulators charged the company after it was found that employees at the contact centres provided and sold personal data to stolen mobile phone traffickers, who used the information to satisfy “unlock” request requirements, allowing them to sell the devices in secondary markets. The breach potentially exposed around 280,000 AT&T customers to identity theft.

Compliance-as-a-Service

Securing customer information can be costly and often means compromising on the customer experience. The many data security and protection obligations make many contact centre managers enforce a “clean room” environment where agents are heavily supervised and controlled, with no communications and very little personal freedom. It is therefore not surprising that staff turnover is very high, because agent morale is extremely low. But there are other ways…

When looking at fraud and security compliance offerings, call centre managers shouldn’t have to compromise and are advised to seek solutions that:

Are truly carrier independent to avoid locking themselves into multi-year calls and lines deal with a single provider for all locations so they can retain the ability to select the best partners to work with, allowing to “right size” the regulatory challenges.

The above steps will go a long way to address many of the requirements of all the regulations mentioned earlier, thus achieving substantial economies of scale.

The role of innovation

Technology has never evolved faster. Data has never been more valuable or so desired. Contact centres must mitigate the risk: protect their reputation; protect their customers. Innovation is required to add certainty to service – enhancing security without compromising on the customer experience.

Recent innovations such as the TrustCall suite of products remove agent exposure to sensitive information and streamline the customer experience and ensure that any information stored in your environment remains secure, drastically reducing the scope of your regulatory and compliance requirements.

The best way to protect organisations from losing sensitive data is to completely avoid being exposed to it in the first place. All you need to know is that you got paid.

The challenge of compliance means that of all the calls you receive within your contact centre, only a few generally involve a payment. But customer information must still be protected in accordance with various standards, including the Payment Card Industry Data Security Standard (PCI DSS) and the General Data Protection Regulation (GDPR).

TrustCall On-Demand is a patented innovation that protects your reputation by routing all sensitive data during a transaction through our Level 1 PCI DSS provider. As well as reducing the security controls required in-house, there’s no need for banks of IVRs sitting across all your lines as our software solution achieves the same result in a cost-effective manner. It is only invoked when a card is used to make a payment during a call. That means you only pay when you use the service, giving you a predictable total cost of ownership. And the call doesn’t get interrupted, so your agent can concentrate on what they do best: providing excellent customer service.

Is it who you think it is?

In regulated industries, contact centres are required to employ multi-factor authentication to meet regulatory obligations, including FFIEC in the United States and PSD2 in Europe. This second layer, be it a PIN, hardware token or something user-inherent such as a biometric characteristic, can thwart fraudsters who have gained access to the first layer of authentication information.

Compared to sectors where verification and authentication mechanisms are well established, many contact centres are still inconsistent with their processes.

67.1% believe cloud/hosted technologies provide better security

*80.2% believe that cloud/hosted technologies allows them to pay only for what they use.

This makes them ideal targets for fraudsters and cybercriminals, compounded by the process being a mundane and irritating experience for agents, with many employees becoming complacent about their responsibilities. It’s also a drain on productivity – just as the need to simplify customer on-boarding and self-service has become a top business priority.

These commercial pressures, combined with the need to meet appropriate governance and regulatory compliance, has created the need for an automatic, compliant and resilient verification solution.

Are you prepared?

Regardless of industry, information security always comes down to common sense, and following the principles below will have a substantially beneficial impact for all regulatory requirements:

Ensure that personal data is safe

Ensure that systems only collect the data they need, and review data-retention policies

Unfortunately, generally because of operational constraints, basic security principles are rarely followed, but the impending regulatory deadlines of 2018 will hopefully impact that trend for the better. Fortunately, a strategy applied within the context of an enlightened risk management framework, with the appropriate governance, operational processes and culture to support it, will go a long way to addressing these challenges.

Number of UK calls into the contact centre requiring Identification & Verification

Inbound agent-handled calls per year: 8.15bn

Requiring ID&V: 68% or 5.542bn

ID&V done by agent: 94.2% or 5.22bn calls per year ID&V’ed by agents

Number of hours doing ID&V

Mean average time taken to ID&V using agent: 32 seconds or 46.4m hours per year spent being ID&V’ed by agents

1.13 hours per year per customer, or almost 3 days of the average customer’s life!

Total cost of credit card fraud in the UK

Pindrop statistics show the cost of credit card fraud is 51p per call (The 2016 UK CC Fraud Report), so for 8.15bn inbound calls per year this is a total cost of £4.16bn per year in the UK.

With thanks to Steve Murray is a Director at TrustCall, an IPI company.